kernel install issue: /sbin/depmod - avc's supplied

Tom London selinux at comcast.net
Fri Jun 4 21:37:57 UTC 2004


I'm presuming this is a known issue, but just in case....

kernel installs (via 'yum update') when running in strict/enforcing fail. 
Now that I have kernel-2.6.6-1.421 installed and running, I have avc's
from /var/log/messages.  Here are just a few:

    Jun  4 14:03:16 dell kernel: audit(1086382996.206:0): avc:  denied  { read } for  pid=3643 exe=/sbin/depmod name=toshiba.ko dev=hdb3 ino=1056054 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
    Jun  4 14:03:16 dell kernel: audit(1086382996.206:0): avc:  denied  { read } for  pid=3643 exe=/sbin/depmod name=ppdev.ko dev=hdb3 ino=1056048 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
    Jun  4 14:03:16 dell kernel: audit(1086382996.207:0): avc:  denied  { read } for  pid=3643 exe=/sbin/depmod name=edd.ko dev=hdb3 ino=1069944 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
    Jun  4 14:03:16 dell kernel: audit(1086382996.207:0): avc:  denied  { getattr } for  pid=3643 exe=/sbin/depmod path=/lib/modules/2.6.6-1.422/build/sound/oss/dmasound/Makefile dev=hdb3 ino=1036012 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
    Jun  4 14:03:16 dell kernel: audit(1086382996.208:0): avc:  denied  { getattr } for  pid=3643 exe=/sbin/depmod path=/lib/modules/2.6.6-1.422/build/sound/oss/dmasound/Kconfig dev=hdb3 ino=1036011 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
    Jun  4 14:03:16 dell kernel: audit(1086382996.208:0): avc:  denied  { getattr } for  pid=3643 exe=/sbin/depmod path=/lib/modules/2.6.6-1.422/build/sound/oss/Makefile dev=hdb3 ino=1036006 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file

The contexts in the rpm appear correct (i.e., most are 
system_u:object_r:modules_object_t, or similar), but the files in 
/lib/modules/2.6.6-1.422/.... are all labeled system_u:object_r:lib_t.

Anyway, /sbin/depmod is having a hell of a time.

Thanks to Stephen, the workaround of going into permissive mode prior to 
'yum update' seems to work, but the file contexts need fixing.

I checked bugzilla for yum but didn't find anything.  Has this been 
filed/fixed?

tom
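
Added example, not part of the original post: a small Python parser that groups AVC denials like the ones quoted above by source type, target type and class, and lists denied paths under /lib/modules whose label is not the expected module type. It assumes each denial sits on one line, as in /var/log/messages; the function names and the modules_object_t default are this example's own choices.

```python
import re
from collections import defaultdict

# Three of the denials quoted in the post, each rejoined onto one line.
SAMPLE = """\
Jun  4 14:03:16 dell kernel: audit(1086382996.206:0): avc:  denied  { read } for  pid=3643 exe=/sbin/depmod name=toshiba.ko dev=hdb3 ino=1056054 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun  4 14:03:16 dell kernel: audit(1086382996.207:0): avc:  denied  { read } for  pid=3643 exe=/sbin/depmod name=edd.ko dev=hdb3 ino=1069944 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
Jun  4 14:03:16 dell kernel: audit(1086382996.208:0): avc:  denied  { getattr } for  pid=3643 exe=/sbin/depmod path=/lib/modules/2.6.6-1.422/build/sound/oss/Makefile dev=hdb3 ino=1036006 scontext=root:sysadm_r:depmod_t tcontext=system_u:object_r:lib_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return the fields of one AVC denial line as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Assumes no field value contains whitespace (true for the sample lines).
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """Third field of a user:role:type context, e.g. 'lib_t'."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["objects"].add(rec.get("path") or rec.get("name", "?"))
    return dict(groups)

def mislabeled_under(text, prefix="/lib/modules/", expected="modules_object_t"):
    """Denied paths under prefix whose target type is not the expected one.
    The expected type is an assumption taken from the post's description."""
    return sorted({rec["path"] for rec in filter(None, map(parse_avc, text.splitlines()))
                   if rec.get("path", "").startswith(prefix)
                   and type_of(rec["tcontext"]) != expected})

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} ({len(g['objects'])} objects)")
    print("not labeled as expected:", mislabeled_under(SAMPLE))
```

A single (depmod_t, lib_t, file) group covering every denial points at the file labels rather than at the depmod policy, which matches the post's observation about /lib/modules.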
